From 803e2ae889d9a9872c3f4ec3a0fafd95f127491c Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Sun, 21 May 2023 15:55:25 +0300 Subject: [PATCH 01/31] Update package.json --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 7d5c7c32226..8f6adb419e2 100644 --- a/package.json +++ b/package.json @@ -146,7 +146,6 @@ "html-entities": "^1.3.1", "i18n": "^0.11.1", "js-yaml": "^3.14.0", - "jsonwebtoken": "0.4.0", "jssha": "^3.1.1", "juicy-chat-bot": "~0.7.1", "libxmljs2": "^0.32.0", From bf82f6b45cf205b49aa3e49da6b9144e271dcaa2 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Sun, 21 May 2023 16:34:15 +0300 Subject: [PATCH 02/31] fixed vulns --- .cm/jit.cm | 75 ++++++++++++++++++++++++++++++++++ data/static/users.yml | 2 - lib/insecurity.ts | 1 - package.json | 3 -- routes/likeProductReviews.ts | 2 +- routes/updateProductReviews.ts | 13 ------ test/smoke/Dockerfile | 1 - 7 files changed, 76 insertions(+), 21 deletions(-) create mode 100644 .cm/jit.cm diff --git a/.cm/jit.cm b/.cm/jit.cm new file mode 100644 index 00000000000..b89a9e0b91c --- /dev/null +++ b/.cm/jit.cm 
@@ -0,0 +1,75 @@ +manifest: + version: 1.0 +automations: + # Add labels + vulnerabilities: + if: + - {{ sonar.vulnerabilities.count > 0}} + run: + - action: add-label@v1 + args: + label: 'πŸ›‘οΈ x {{ sonar.vulnerabilities.count }} Vulnerabilities' + color: {{ colors.E if (sonar.vulnerabilities.rating == 'E') else (colors.C if (sonar.vulnerabilities.rating == 'C' ) else colors.A) }} + security_hotspots: + if: + - {{ sonar.security_hotspots.count > 0}} + run: + - action: add-label@v1 + args: + label: '🌢️ x {{ sonar.security_hotspots.count }} Security Hotspots' + color: {{ colors.E if (sonar.security_hotspots.rating == 'E') else (colors.C if (sonar.security_hotspots.rating == 'C' ) else colors.A) }} + code_smells: + if: + - {{ sonar.code_smells.count > 0}} + run: + - action: add-label@v1 + args: + label: 'πŸ’© x {{ sonar.code_smells.count }} Code Smells' + color: {{ colors.E if (sonar.code_smells.rating == 'E') else (colors.C if (sonar.code_smells.rating == 'C' ) else colors.A) }} + bugs: + if: + - {{ sonar.bugs.count > 0}} + run: + - action: add-label@v1 + args: + label: '🐞 x {{ sonar.bugs.count }} Bugs' + color: {{ colors.E if (sonar.bugs.rating == 'E') else (colors.C if (sonar.bugs.rating == 'C' ) else colors.A) }} + + mark_outstanding_pr: + if: + - {{ sonar.bugs.count == 0 }} + - {{ sonar.code_smells.count == 0 }} + - {{ sonar.vulnerabilities.count == 0 }} + - {{ sonar.security_hotspots.count == 0 }} + - {{ sonar.duplications == null or sonar.duplications == 0 }} + run: + - action: add-label@v1 + args: + label: 'πŸ’― Safe' + Assign: + # Auto assign Security member + if: + - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating != 'A'}} + run: + - action: add-reviewers@v1 + args: + reviewers: [Dudu-linb] + + jitttt: + if: + - {{ jit.metrics.HIGH > 0}} + run: + - action: add-label@v1 + args: + label: '{{ jit.metrics.HIGH }} high vulns by Jit' + + +sonar: {{ pr | extractSonarFindings }} +#jit: {{ pr | 
extractJitFindings }} + +colors: + A: '05AA02' + B: 'B6D146' + C: 'EABE05' + D: 'DF8339' + E: 'D4343F' \ No newline at end of file diff --git a/data/static/users.yml b/data/static/users.yml index 24efd550e93..edfe29291bf 100644 --- a/data/static/users.yml +++ b/data/static/users.yml @@ -147,8 +147,6 @@ email: wurstbrot username: wurstbrot password: 'EinBelegtesBrotMitSchinkenSCHINKEN!' - totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH - key: timo role: 'admin' securityQuestion: id: 1 diff --git a/lib/insecurity.ts b/lib/insecurity.ts index 585ad31ae6a..87776eabf9d 100644 --- a/lib/insecurity.ts +++ b/lib/insecurity.ts @@ -20,7 +20,6 @@ import * as utils from './utils' import * as z85 from 'z85' export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' -const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' interface ResponseWithUser { status: string diff --git a/package.json b/package.json index 8f6adb419e2..e8a5b92f58c 100644 --- a/package.json +++ b/package.json 
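Review bot: The `jitttt` automation's condition reads `jit.metrics.HIGH`, but the only place `jit` is defined in this file is the commented-out line `#jit: {{ pr | extractJitFindings }}`, so `jit` is never bound and that automation presumably never fires (or errors, depending on how gitStream treats an undefined context value); either restore `jit: {{ pr | extractJitFindings }}` or leave the automation out until the Jit integration is enabled. The `Assign` automation is the only capitalised key among otherwise snake_case names and hard-codes a single reviewer; `assign_security_reviewer` would match the file's naming and say what it does. A short header comment stating that `sonar` and `colors` are resolved from the bottom of the file would help readers who expect top-down definition order.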
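Review bot: The surviving `publicKey` line still loads `encryptionkeys/jwt.pub`, the public half of the key pair whose private half this hunk deletes; because that private key was committed to the repository, removing the constant does not revoke it, so any token signed with it still verifies until the pair is rotated and `jwt.pub` is replaced. Whatever in the rest of `lib/insecurity.ts` referenced `privateKey` (the signing path is outside this hunk) will also fail to compile unless it was updated elsewhere, which the diffstat (`lib/insecurity.ts | 1 -`) suggests it was not. A comment on the `publicKey` line such as `// signing key must come from the environment or a secret store, never from source` would document the intended replacement for the next reader.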
@@ -119,12 +119,10 @@
 "cookie-parser": "^1.4.5",
 "cors": "^2.8.5",
 "dottie": "^2.0.2",
- "download": "^8.0.0",
 "errorhandler": "^1.5.1",
 "exif": "^0.6.0",
 "express": "^4.17.1",
 "express-ipfilter": "^1.2.0",
- "express-jwt": "0.1.3",
 "express-rate-limit": "^5.3.0",
 "express-robots-txt": "^0.4.1",
 "express-security.txt": "^2.0.0",
@@ -132,7 +130,6 @@
 "file-stream-rotator": "^0.5.7",
 "file-type": "^16.1.0",
 "filesniffer": "^1.0.3",
- "finale-rest": "^1.1.1",
 "fs-extra": "^9.0.1",
 "fuzzball": "^1.3.0",
 "glob": "^7.1.6",
diff --git a/routes/likeProductReviews.ts b/routes/likeProductReviews.ts
index f77e28d2a5e..c1518601bba 100644
--- a/routes/likeProductReviews.ts
+++ b/routes/likeProductReviews.ts
@@ -15,7 +15,7 @@ module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
 const id = req.body.id
 const user = security.authenticatedUsers.from(req)
- db.reviews.findOne({ _id: id }).then((review: Review) => {
+ db.reviews.findOne({ _id: "a" }).then((review: Review) => {
 if (!review) {
 res.status(404).json({ error: 'Not found' })
 } else {
diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts
index c6d31a3707f..c4e0cf06808 100644
--- a/routes/updateProductReviews.ts
+++ b/routes/updateProductReviews.ts
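Review bot: Hard-coding the lookup key as the literal `"a"` on the changed `findOne` line means every like request resolves the same document (or none) regardless of `req.body.id`, so the endpoint is broken rather than fixed, and `const id = req.body.id` two lines above becomes dead. If the goal is to keep object-valued ids out of the query, validate the input and keep the real lookup: `if (typeof id !== 'string') { res.status(400).json({ error: 'Invalid id' }); return }` followed by `db.reviews.findOne({ _id: id }).then((review: Review) => {`. The file otherwise uses single quotes, so `"a"` is also off-style. The handler body continues beyond the hunk.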
@@ -13,19 +13,6 @@ const security = require('../lib/insecurity') // vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge module.exports = function productReviews () { return (req: Request, res: Response, next: NextFunction) => { - const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge - db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge - { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge - { $set: { message: req.body.message } }, - { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge - ).then( - (result: { modified: number, original: Array<{ author: any }> }) => { - challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line - challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line - res.json(result) - }, (err: unknown) => { - res.status(500).json(err) - }) } } // vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge diff --git a/test/smoke/Dockerfile b/test/smoke/Dockerfile index 20df9ef06eb..fee38ec8cca 100644 --- a/test/smoke/Dockerfile +++ b/test/smoke/Dockerfile @@ -1,4 +1,3 @@ -FROM alpine RUN apk add curl From 4bb0105f9a73083baa34d9ed3d6edb1ea521be1f Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:04:41 +0300 Subject: [PATCH 03/31] cm ignored accept --- .cm/jit.cm | 64 ++++++++++-------------------------------------------- 1 file changed, 12 insertions(+), 52 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b89a9e0b91c..c3ad12ca238 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
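Review bot: After this hunk the arrow function returned by `productReviews` has an empty body: the route neither sends a response nor calls `next()`, so clients hang until their own timeout, and `req`, `res` and `next` are all unused. Deleting the handler does remove the `{ _id: req.body.id }` query and the `multi: true` update, but what the route needs is input validation and an ownership check, not an empty function; if the feature really is being retired, at least answer with an explicit status. A sketch of the validated version is below (it assumes `db.reviews.update`, `security.authenticatedUsers.from` and the review `author` field behave as the removed lines used them — confirm against the collection API); the `module.exports` wrapper and the closing lines are unchanged.
```typescript
  return (req: Request, res: Response, next: NextFunction) => {
    const user = security.authenticatedUsers.from(req)
    const id = req.body.id
    const message = req.body.message
    // Only plain strings may reach the query; object-valued input is rejected up front
    if (typeof id !== 'string' || typeof message !== 'string') {
      res.status(400).json({ error: 'Invalid request' })
      return
    }
    if (!user?.data?.email) {
      res.status(401).json({ error: 'Unauthorized' })
      return
    }
    // Match on author as well as id so a caller can only edit their own review,
    // and update a single document rather than every match.
    db.reviews.update(
      { _id: id, author: user.data.email },
      { $set: { message } },
      { multi: false }
    ).then(
      (result: { modified: number }) => { res.json(result) },
      (err: unknown) => { res.status(500).json({ error: 'Update failed' }) }
    )
  }
```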
@@ -1,71 +1,31 @@ manifest: version: 1.0 + automations: - # Add labels - vulnerabilities: - if: - - {{ sonar.vulnerabilities.count > 0}} - run: - - action: add-label@v1 - args: - label: 'πŸ›‘οΈ x {{ sonar.vulnerabilities.count }} Vulnerabilities' - color: {{ colors.E if (sonar.vulnerabilities.rating == 'E') else (colors.C if (sonar.vulnerabilities.rating == 'C' ) else colors.A) }} - security_hotspots: - if: - - {{ sonar.security_hotspots.count > 0}} - run: - - action: add-label@v1 - args: - label: '🌢️ x {{ sonar.security_hotspots.count }} Security Hotspots' - color: {{ colors.E if (sonar.security_hotspots.rating == 'E') else (colors.C if (sonar.security_hotspots.rating == 'C' ) else colors.A) }} - code_smells: + jit_vulns: if: - - {{ sonar.code_smells.count > 0}} - run: - - action: add-label@v1 - args: - label: 'πŸ’© x {{ sonar.code_smells.count }} Code Smells' - color: {{ colors.E if (sonar.code_smells.rating == 'E') else (colors.C if (sonar.code_smells.rating == 'C' ) else colors.A) }} - bugs: - if: - - {{ sonar.bugs.count > 0}} + - {{ jit.metrics.HIGH > 0}} run: - action: add-label@v1 args: - label: '🐞 x {{ sonar.bugs.count }} Bugs' - color: {{ colors.E if (sonar.bugs.rating == 'E') else (colors.C if (sonar.bugs.rating == 'C' ) else colors.A) }} - - mark_outstanding_pr: - if: - - {{ sonar.bugs.count == 0 }} - - {{ sonar.code_smells.count == 0 }} - - {{ sonar.vulnerabilities.count == 0 }} - - {{ sonar.security_hotspots.count == 0 }} - - {{ sonar.duplications == null or sonar.duplications == 0 }} - run: - - action: add-label@v1 - args: - label: 'πŸ’― Safe' - Assign: - # Auto assign Security member - if: - - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating != 'A'}} - run: + label: '{{ jit.metrics.HIGH }} High vulnerabilities' - action: add-reviewers@v1 args: reviewers: [Dudu-linb] - - jitttt: + + jit_ignores: if: - - {{ jit.metrics.HIGH > 0}} + -{{ has_ignored_accept }} run: - action: add-label@v1 args: - 
label: '{{ jit.metrics.HIGH }} high vulns by Jit' + label: 'jit_ignore_accept' + +jit: {{ pr | extractJitFindings }} +has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} -sonar: {{ pr | extractSonarFindings }} -#jit: {{ pr | extractJitFindings }} +jit_reviews: {{ pr.reviews | filter(attr='commenter', term='jit-ci') }} colors: A: '05AA02' From 43882b98a7fd38436480356d49f2801385794eac Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:12:36 +0300 Subject: [PATCH 04/31] cm ignored accept2 --- .cm/jit.cm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index c3ad12ca238..88bfa5ec9d5 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -15,7 +15,7 @@ automations: jit_ignores: if: - -{{ has_ignored_accept }} + -{{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: @@ -23,7 +23,7 @@ automations: jit: {{ pr | extractJitFindings }} -has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} +# has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} jit_reviews: {{ pr.reviews | filter(attr='commenter', term='jit-ci') }} From 8b00d4d7bdb6be0364e1ee7905b71f21f07c2a45 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:23:08 +0300 Subject: [PATCH 05/31] cm ignored accept3 --- .cm/jit.cm | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 88bfa5ec9d5..eaeaa0de75a 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
@@ -15,7 +15,7 @@ automations: jit_ignores: if: - -{{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + -{{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: @@ -23,9 +23,7 @@ automations: jit: {{ pr | extractJitFindings }} -# has_ignored_accept: {{ jit_reviews | map(attr='conversations') | map(attr='content') | match(term='#jit_ignore_accept') | some }} - -jit_reviews: {{ pr.reviews | filter(attr='commenter', term='jit-ci') }} +jit_conversations: {{ pr.reviews | filter(attr='commenter', term='jit-ci') | map(attr='conversations') }} colors: A: '05AA02' From 2f6c057199ac35cdaff256941ff66c72f1226281 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:41:35 +0300 Subject: [PATCH 06/31] cm ignored accept4 --- .cm/jit.cm | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index eaeaa0de75a..50ec1f165ea 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -23,11 +23,4 @@ automations: jit: {{ pr | extractJitFindings }} -jit_conversations: {{ pr.reviews | filter(attr='commenter', term='jit-ci') | map(attr='conversations') }} - -colors: - A: '05AA02' - B: 'B6D146' - C: 'EABE05' - D: 'DF8339' - E: 'D4343F' \ No newline at end of file +jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 89dce43be7c015010bc7ab2a7bffcca962c557a9 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:47:47 +0300 Subject: [PATCH 07/31] cm ignored accept4 --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 50ec1f165ea..1a3ea220700 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
@@ -15,7 +15,7 @@ automations: jit_ignores: if: - -{{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: From 32c3dee8b3747bde60d1924521914308aa6c225c Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:52:50 +0300 Subject: [PATCH 08/31] cm ignored accept5 --- .cm/jit.cm | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.cm/jit.cm b/.cm/jit.cm index 1a3ea220700..8f0c370c8dd 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,6 +21,18 @@ automations: args: label: 'jit_ignore_accept' + show_changed_files: + if: + - true + run: + - action: add-comment@v1 + args: + comment: | + 1 {{ jit_conversations | dump | safe }} + 2 {{ jit_conversations | map(attr='content') | dump | safe }} + 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} + 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} + jit: {{ pr | extractJitFindings }} jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 0c9fdf32eaf046e794c0ade5480e3dbcec135df2 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 12:55:04 +0300 Subject: [PATCH 09/31] cm ignored accept --- .cm/jit.cm | 77 ++++++++++++++---------------------------------------- 1 file changed, 20 insertions(+), 57 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b89a9e0b91c..8f0c370c8dd 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
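Review bot: The `show_changed_files` automation added here is gated by `if: - true`, so it posts a comment on every PR, and what it posts is `jit_conversations | dump | safe` — the raw text of other participants' PR comments re-emitted with `safe`, which presumably turns off the template's output escaping; the name also does not describe what it does. This reads as a debugging aid and should not be merged as-is: gate it behind a real condition or an explicit debug flag, and drop `safe` so comment text from arbitrary participants is not re-rendered unescaped. The same unconditional `add-comment` dump recurs in the rebased hunk of patch 09, as `show_changed_files` in patch 14 (`1 {{ jit | dump | safe }}`), and as the `debug` automation in `.cm/SecurityManager.cm` introduced by patch 22 (`PR: {{ pr | dump | safe }}`), the last of which is never removed within this series.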
@@ -1,75 +1,38 @@ manifest: version: 1.0 + automations: - # Add labels - vulnerabilities: - if: - - {{ sonar.vulnerabilities.count > 0}} - run: - - action: add-label@v1 - args: - label: 'πŸ›‘οΈ x {{ sonar.vulnerabilities.count }} Vulnerabilities' - color: {{ colors.E if (sonar.vulnerabilities.rating == 'E') else (colors.C if (sonar.vulnerabilities.rating == 'C' ) else colors.A) }} - security_hotspots: + jit_vulns: if: - - {{ sonar.security_hotspots.count > 0}} + - {{ jit.metrics.HIGH > 0}} run: - action: add-label@v1 args: - label: '🌢️ x {{ sonar.security_hotspots.count }} Security Hotspots' - color: {{ colors.E if (sonar.security_hotspots.rating == 'E') else (colors.C if (sonar.security_hotspots.rating == 'C' ) else colors.A) }} - code_smells: - if: - - {{ sonar.code_smells.count > 0}} - run: - - action: add-label@v1 + label: '{{ jit.metrics.HIGH }} High vulnerabilities' + - action: add-reviewers@v1 args: - label: 'πŸ’© x {{ sonar.code_smells.count }} Code Smells' - color: {{ colors.E if (sonar.code_smells.rating == 'E') else (colors.C if (sonar.code_smells.rating == 'C' ) else colors.A) }} - bugs: + reviewers: [Dudu-linb] + + jit_ignores: if: - - {{ sonar.bugs.count > 0}} + - {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: - label: '🐞 x {{ sonar.bugs.count }} Bugs' - color: {{ colors.E if (sonar.bugs.rating == 'E') else (colors.C if (sonar.bugs.rating == 'C' ) else colors.A) }} + label: 'jit_ignore_accept' - mark_outstanding_pr: + show_changed_files: if: - - {{ sonar.bugs.count == 0 }} - - {{ sonar.code_smells.count == 0 }} - - {{ sonar.vulnerabilities.count == 0 }} - - {{ sonar.security_hotspots.count == 0 }} - - {{ sonar.duplications == null or sonar.duplications == 0 }} - run: - - action: add-label@v1 - args: - label: 'πŸ’― Safe' - Assign: - # Auto assign Security member - if: - - {{ sonar.code_smells.rating != 'A' or sonar.vulnerabilities.rating != 'A' or sonar.security_hotspots.rating 
!= 'A'}} + - true run: - - action: add-reviewers@v1 + - action: add-comment@v1 args: - reviewers: [Dudu-linb] - - jitttt: - if: - - {{ jit.metrics.HIGH > 0}} - run: - - action: add-label@v1 - args: - label: '{{ jit.metrics.HIGH }} high vulns by Jit' - + comment: | + 1 {{ jit_conversations | dump | safe }} + 2 {{ jit_conversations | map(attr='content') | dump | safe }} + 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} + 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} -sonar: {{ pr | extractSonarFindings }} -#jit: {{ pr | extractJitFindings }} +jit: {{ pr | extractJitFindings }} -colors: - A: '05AA02' - B: 'B6D146' - C: 'EABE05' - D: 'DF8339' - E: 'D4343F' \ No newline at end of file +jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 4ae68c1e4660e35a62901f0e2dc1d4aa9c235af0 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 13:22:40 +0300 Subject: [PATCH 10/31] cm ignored accept2 --- .cm/jit.cm | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 8f0c370c8dd..1a3ea220700 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,18 +21,6 @@ automations: args: label: 'jit_ignore_accept' - show_changed_files: - if: - - true - run: - - action: add-comment@v1 - args: - comment: | - 1 {{ jit_conversations | dump | safe }} - 2 {{ jit_conversations | map(attr='content') | dump | safe }} - 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} - 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} - jit: {{ pr | extractJitFindings }} jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From fd348f7a3ae166d85163af7fbd3be3a22990388c Mon Sep 17 00:00:00 2001 
From: PavelLinearB Date: Mon, 22 May 2023 13:27:35 +0300 Subject: [PATCH 11/31] cm ignored accept0 --- .cm/jit.cm | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 8f0c370c8dd..1a3ea220700 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,18 +21,6 @@ automations: args: label: 'jit_ignore_accept' - show_changed_files: - if: - - true - run: - - action: add-comment@v1 - args: - comment: | - 1 {{ jit_conversations | dump | safe }} - 2 {{ jit_conversations | map(attr='content') | dump | safe }} - 3 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | dump | safe }} - 4 {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some | dump | safe }} - jit: {{ pr | extractJitFindings }} jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file From 0a8ae9e62ad542a0353009da14b93c089107370c Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 14:33:25 +0300 Subject: [PATCH 12/31] cm ignored accept0 --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 1a3ea220700..79f80d72b5a 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -23,4 +23,4 @@ automations: jit: {{ pr | extractJitFindings }} -jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} \ No newline at end of file +jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} From 273dcbc7bee27758a51ee38e938cd078bcd34621 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 14:45:20 +0300 Subject: [PATCH 13/31] cm ignored accept0 --- .cm/jit.cm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 79f80d72b5a..c0914d9a6f3 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm 
@@ -15,12 +15,10 @@ automations: jit_ignores: if: - - {{ jit_conversations | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: label: 'jit_ignore_accept' jit: {{ pr | extractJitFindings }} - -jit_conversations: {{ pr.conversations | filter(attr='commenter', term='jit-ci') }} From 6df1227618b981a6e584ea9050efab2f2da2e016 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Mon, 22 May 2023 14:53:08 +0300 Subject: [PATCH 14/31] cm jit dump --- .cm/jit.cm | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.cm/jit.cm b/.cm/jit.cm index c0914d9a6f3..b415de12bfe 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -21,4 +21,13 @@ automations: args: label: 'jit_ignore_accept' + show_changed_files: + if: + - true + run: + - action: add-comment@v1 + args: + comment: | + 1 {{ jit | dump | safe }} + jit: {{ pr | extractJitFindings }} From e5b00ae81acd323b619ef90b1bbb4784918a01ea Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Mon, 22 May 2023 16:33:35 +0300 Subject: [PATCH 15/31] Update jit.cm --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b415de12bfe..ed154313ad0 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -8,7 +8,7 @@ automations: run: - action: add-label@v1 args: - label: '{{ jit.metrics.HIGH }} High vulnerabilities' + label: 'πŸ›‘οΈ x {{ jit.metrics.HIGH }} High vulnerabilities' - action: add-reviewers@v1 args: reviewers: [Dudu-linb] From a5f954b100f696f419c7f1da952d85135f7477ff Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Mon, 22 May 2023 16:34:22 +0300 Subject: [PATCH 16/31] Update jit.cm --- .cm/jit.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.cm/jit.cm b/.cm/jit.cm index ed154313ad0..cb97ebd6146 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -19,7 +19,7 @@ automations: run: - action: add-label@v1 args: - label: 'jit_ignore_accept' + label: 'πŸ™ˆ jit_ignore_accept' show_changed_files: if: From 4f5f6c54a86632bc1de1f25ed830f7bb4e0b048f Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 23 May 2023 10:58:38 +0300 Subject: [PATCH 17/31] Jit find secrets --- .cm/jit.cm | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index b415de12bfe..1e605de5969 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -15,13 +15,21 @@ automations: jit_ignores: if: - - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | match(attr='commenter', term='jit-ci') | some }} + run: + - action: add-label@v1 + args: + label: "🀫 PR with secrets" + + jit_secretss: + if: + - {{ jit.vulnerabilities | filter(attr='security_control', term='Secret Detection') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: label: 'jit_ignore_accept' - show_changed_files: + debug: if: - true run: From 00b092cf1dd4188ffc6ce5884c37d17e963edf22 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 23 May 2023 11:00:41 +0300 Subject: [PATCH 18/31] Jit find secrets --- .cm/jit.cm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index 2e13ec994c3..ada93463bf2 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -13,7 +13,7 @@ automations: args: reviewers: [Dudu-linb] - jit_ignores: + jit_secretss: if: - {{ pr.conversations | match(attr='commenter', term='jit-ci') | some }} run: 
@@ -21,7 +21,7 @@ automations: args: label: "🀫 PR with secrets" - jit_secretss: + jit_ignores: if: - {{ jit.vulnerabilities | filter(attr='security_control', term='Secret Detection') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: From ee82a093259785fbbc7d7bc423edd885bdf762af Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Tue, 23 May 2023 11:17:54 +0300 Subject: [PATCH 19/31] Update jit.cm --- .cm/jit.cm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.cm/jit.cm b/.cm/jit.cm index ada93463bf2..0ee42e46428 100644 --- a/.cm/jit.cm +++ b/.cm/jit.cm @@ -15,7 +15,7 @@ automations: jit_secretss: if: - - {{ pr.conversations | match(attr='commenter', term='jit-ci') | some }} + - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }} run: - action: add-label@v1 args: @@ -23,7 +23,7 @@ automations: jit_ignores: if: - - {{ jit.vulnerabilities | filter(attr='security_control', term='Secret Detection') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: From 254299d87c5f8081cc7194d2124e7a4d479d5ff9 Mon Sep 17 00:00:00 2001 From: Yeela Lifshitz <52451294+yeelali14@users.noreply.github.com> Date: Mon, 29 May 2023 15:26:05 +0300 Subject: [PATCH 20/31] Update and rename jit.cm to jit-and-sonar.cm --- .cm/jit-and-sonar.cm | 100 +++++++++++++++++++++++++++++++++++++++++++ .cm/jit.cm | 41 ------------------ 2 files changed, 100 insertions(+), 41 deletions(-) create mode 100644 .cm/jit-and-sonar.cm delete mode 100644 .cm/jit.cm diff --git a/.cm/jit-and-sonar.cm b/.cm/jit-and-sonar.cm new file mode 100644 index 00000000000..c89c506f971 --- /dev/null +++ b/.cm/jit-and-sonar.cm 
@@ -0,0 +1,100 @@ +# -*- mode: yaml -*- + +manifest: + version: 1.0 + +config: + admin: + users: ['EladKohavi'] + +automations: + mark_bugs: + if: + - {{ sonar.bugs.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.bugs.count }} Bugs 🐞' + color: {{ colors.bugs }} + mark_code_smell: + if: + - {{ sonar.code_smells.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.code_smells.count }} Code Smells πŸ’©' + color: {{ colors.code_smells }} + mark_security_hotspots: + if: + - {{ sonar.security_hotspots.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.security_hotspots.count }} Security hotspots 🌢️' + color: {{ colors.security_hotspots }} + - action: add-reviewers@v1 + args: + reviewers: [Dudu-linb] + mark_outstanding_pr: + if: + - {{ sonar.bugs.count == 0 }} + - {{ sonar.code_smells.count == 0 }} + - {{ sonar.vulnerabilities.count == 0 }} + - {{ sonar.security_hotspots.count == 0 }} + - {{ sonar.duplications == null or sonar.duplications == 0.0 }} + run: + - action: add-label@v1 + args: + label: 'βœ… Sonar: Clean Code' + color: 'ABEBC6' + high_duplications: + if: + - {{ sonar.duplications > 40 }} + run: + - action: request-changes@v1 + args: + comment: | + High percentage of duplications in code. Please fix! 
+ - action: add-label@v1 + args: + label: '{{ sonar.duplications }} Duplications πŸ‘―' + color: {{ colors.duplications }} + mark_vulnerabilities: + if: + - {{ sonar.vulnerabilities.count > 0 }} + run: + - action: add-label@v1 + args: + label: '{{ sonar.vulnerabilities.count }} Vulnerabilities πŸ›‘οΈ' + color: {{ colors.vulnerabilities }} + jit_vulns: + if: + - {{ jit.metrics.HIGH > 0}} + run: + - action: add-label@v1 + args: + label: 'πŸ›‘οΈ x {{ jit.metrics.HIGH }} High vulnerabilities' + - action: add-reviewers@v1 + args: + reviewers: [Dudu-linb] + + jit_secretss: + if: + - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }} + run: + - action: add-label@v1 + args: + label: "🀫 PR with secrets" + + jit_ignores: + if: + - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + run: + - action: add-label@v1 + args: + label: 'πŸ™ˆ jit_ignore_accept' + + + +sonar: {{ pr | extractSonarFindings }} +jit: {{ pr | extractJitFindings }} diff --git a/.cm/jit.cm b/.cm/jit.cm deleted file mode 100644 index 0ee42e46428..00000000000 --- a/.cm/jit.cm +++ /dev/null 
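Review bot: `jit_ignores` applies the `jit_ignore_accept` label when `#jit_ignore_accept` appears in comments whose `commenter` is `jit-ci`, i.e. only the scanner bot's own comments; if the marker is meant to be typed by a reviewer accepting a finding, this condition can never fire, and if it is later widened to human commenters (as patch 25's `reject(attr='commenter', term='jit-ci')` in this same file does) it becomes a self-service risk acceptance for anyone who can comment, including the PR author. Either way the commenter should be checked against an allow-list such as the `config.admin.users` list declared at the top of this file, not merely "is not the bot", and the acceptance should be recorded in the label or a comment so the decision is auditable. Separately, `mark_security_hotspots` requests a review from `Dudu-linb` while `mark_vulnerabilities` does not, which looks inconsistent for the higher-severity category, and `jit_secretss` has a doubled `s`.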
@@ -1,41 +0,0 @@ -manifest: - version: 1.0 - -automations: - jit_vulns: - if: - - {{ jit.metrics.HIGH > 0}} - run: - - action: add-label@v1 - args: - label: 'πŸ›‘οΈ x {{ jit.metrics.HIGH }} High vulnerabilities' - - action: add-reviewers@v1 - args: - reviewers: [Dudu-linb] - - jit_secretss: - if: - - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }} - run: - - action: add-label@v1 - args: - label: "🀫 PR with secrets" - - jit_ignores: - if: - - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} - run: - - action: add-label@v1 - args: - label: 'πŸ™ˆ jit_ignore_accept' - - debug: - if: - - true - run: - - action: add-comment@v1 - args: - comment: | - 1 {{ jit | dump | safe }} - -jit: {{ pr | extractJitFindings }} From 0c236174fb23042f3a5f81d0e7de7be88d43becf Mon Sep 17 00:00:00 2001 From: Yeela Lifshitz <52451294+yeelali14@users.noreply.github.com> Date: Mon, 29 May 2023 15:38:08 +0300 Subject: [PATCH 21/31] Update jit-and-sonar.cm --- .cm/jit-and-sonar.cm | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.cm/jit-and-sonar.cm b/.cm/jit-and-sonar.cm index c89c506f971..74d5d893a46 100644 --- a/.cm/jit-and-sonar.cm +++ b/.cm/jit-and-sonar.cm @@ -46,7 +46,7 @@ automations: - action: add-label@v1 args: label: 'βœ… Sonar: Clean Code' - color: 'ABEBC6' + color: '0e8a16' high_duplications: if: - {{ sonar.duplications > 40 }} @@ -98,3 +98,9 @@ automations: sonar: {{ pr | extractSonarFindings }} jit: {{ pr | extractJitFindings }} +colors: + code_smells: 'D2B48C' + bugs: 'FAA0A0' + vulnerabilities: 'F3E5AB' + security_hotspots: 'F89880' + duplications: 'D7BDE2' From efef0addcdc2abf45fef17299d9facc43040f7aa Mon Sep 17 00:00:00 2001 
From: PavelLinearB Date: Tue, 6 Jun 2023 12:45:40 +0300 Subject: [PATCH 22/31] added security manager cm --- .cm/SecurityManager.cm | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .cm/SecurityManager.cm diff --git a/.cm/SecurityManager.cm b/.cm/SecurityManager.cm new file mode 100644 index 00000000000..e66aff2c68a --- /dev/null +++ b/.cm/SecurityManager.cm @@ -0,0 +1,36 @@ +manifest: + version: 1.0 + +automations: + debug: + if: + - true + run: + - action: add-comment@v1 + args: + comment: | + PR: {{ pr | dump | safe }} + + Security_comment: + if: + - {{ jit.metrics.HIGH > 0}} + run: + - action: add-comment@v1 + args: + comment: | + This PR failed due to High severity vulnerability finding, if you don’t fix it please select: + [] I need help with that fix. + [] I want to accept the risk, please approve. + [] This is false positive, please approve. + [] This is a test / simulator environment, please exclude. + + Core service update + (Updates API) +# Security_comment_response: +# if: +# - {{ pr.conversations | filter(attr='commenter', term='gitStream') | }} + + + + +jit: {{ pr | extractJitFindings }} \ No newline at end of file From ebd2adad7f3f5b87f5cf6e5faa22c9bcca73969d Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 6 Jun 2023 12:49:20 +0300 Subject: [PATCH 23/31] added security manager cm --- .cm/SecurityManager.cm | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.cm/SecurityManager.cm b/.cm/SecurityManager.cm index e66aff2c68a..632e61a2564 100644 --- a/.cm/SecurityManager.cm +++ b/.cm/SecurityManager.cm 
@@ -16,16 +16,14 @@ automations: - {{ jit.metrics.HIGH > 0}} run: - action: add-comment@v1 - args: - comment: | - This PR failed due to High severity vulnerability finding, if you don’t fix it please select: - [] I need help with that fix. - [] I want to accept the risk, please approve. - [] This is false positive, please approve. - [] This is a test / simulator environment, please exclude. + args: + comment: | + This PR failed due to High severity vulnerability finding, if you don’t fix it please select: + [] I need help with that fix. + [] I want to accept the risk, please approve. + [] This is false positive, please approve. + [] This is a test / simulator environment, please exclude. - Core service update - (Updates API) # Security_comment_response: # if: # - {{ pr.conversations | filter(attr='commenter', term='gitStream') | }} From 81fc4c3d471264f3de35dc2cae992286fb24d09f Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 6 Jun 2023 12:53:20 +0300 Subject: [PATCH 24/31] added security manager cm --- .cm/SecurityManager.cm | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.cm/SecurityManager.cm b/.cm/SecurityManager.cm index 632e61a2564..fe0a7174d4d 100644 --- a/.cm/SecurityManager.cm +++ b/.cm/SecurityManager.cm @@ -18,17 +18,10 @@ automations: - action: add-comment@v1 args: comment: | - This PR failed due to High severity vulnerability finding, if you don’t fix it please select: + This PR failed due to High severity vulnerability finding, if you don't fix it please select: [] I need help with that fix. [] I want to accept the risk, please approve. [] This is false positive, please approve. [] This is a test / simulator environment, please exclude. -# Security_comment_response: -# if: -# - {{ pr.conversations | filter(attr='commenter', term='gitStream') | }} - - - - jit: {{ pr | extractJitFindings }} \ No newline at end of file From fbbf10dd9e08e203087ded4dc780c56bc91f815f Mon Sep 17 00:00:00 2001 
From: PavelLinearB Date: Tue, 6 Jun 2023 13:17:38 +0300 Subject: [PATCH 25/31] added security manager cm --- .cm/SecurityManager.cm | 16 ++++++++++++---- .cm/jit-and-sonar.cm | 2 +- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.cm/SecurityManager.cm b/.cm/SecurityManager.cm index fe0a7174d4d..fffaec0ebff 100644 --- a/.cm/SecurityManager.cm +++ b/.cm/SecurityManager.cm @@ -19,9 +19,17 @@ automations: args: comment: | This PR failed due to High severity vulnerability finding, if you don't fix it please select: - [] I need help with that fix. - [] I want to accept the risk, please approve. - [] This is false positive, please approve. - [] This is a test / simulator environment, please exclude. + - [ ] I need help with that fix. + - [ ] I want to accept the risk, please approve. + - [ ] This is false positive, please approve. + - [ ] This is a test / simulator environment, please exclude. + + Security_comment_response: + if: + - {{ pr.conversations | filter(attr='commenter', term='gitstream-cm') | filter (attr='content', term='- [x] I need help with that fix.') | some}} + run: + - action: add-label@v1 + args: + label: "Fix pending" jit: {{ pr | extractJitFindings }} \ No newline at end of file diff --git a/.cm/jit-and-sonar.cm b/.cm/jit-and-sonar.cm index 74d5d893a46..0fd5f8b7898 100644 --- a/.cm/jit-and-sonar.cm +++ b/.cm/jit-and-sonar.cm @@ -88,7 +88,7 @@ automations: jit_ignores: if: - - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} + - {{ pr.conversations | reject(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }} run: - action: add-label@v1 args: From fe95bcdda2a5696fad46c0fad7a1465d03dba34d Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 6 Jun 2023 13:33:45 +0300 Subject: [PATCH 26/31] added security manager cm --- .cm/SecurityManager.cm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
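Review bot: `Security_comment_response` only handles the first of the four checkboxes the comment offers; ticking "accept the risk", "false positive" or "test / simulator environment" has no automation behind it, so those replies leave a High finding with no label and no reviewer. The trigger is a comment whose `commenter` is `gitstream-cm`, i.e. the bot's own comment after someone edited it, so whoever can edit that comment — not necessarily a reviewer — flips the outcome, and `filter (attr='content', term='- [x] I need help with that fix.')` looks like a substring test, so a reply that merely quotes the ticked line would match as well. `Fix pending` is only ever added by `add-label@v1`; nothing removes it when the box is unticked or the finding goes away, which is worth a comment above the automation, e.g. `# label is additive only; clear "Fix pending" by hand once the finding is resolved`.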
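Review bot: Changing `filter` to `reject` on `commenter` means `#jit_ignore_accept` from any commenter other than `jit-ci` now applies the `jit_ignore_accept` label, with no check on who wrote it; on a public repository that includes drive-by commenters, and `match(term='#jit_ignore_accept')` appears to be a substring test, so a reply that only quotes the tag matches too. If the label records an accepted risk, restrict the commenter to the logins allowed to accept one (an explicit allow-list rather than excluding the scanner) and state that in a comment above the automation, e.g. `# only maintainers may accept a Jit ignore; any other commenter is ignored`.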
diff --git a/.cm/SecurityManager.cm b/.cm/SecurityManager.cm index fffaec0ebff..1d523e8046b 100644 --- a/.cm/SecurityManager.cm +++ b/.cm/SecurityManager.cm @@ -13,7 +13,7 @@ automations: Security_comment: if: - - {{ jit.metrics.HIGH > 0}} + - {{ (jit.metrics.HIGH > 0) and not (pr.conversations | filter(attr='commenter', term='gitstream-cm') | filter (attr='content', term='This PR failed due to High severity vulnerability finding, if you don't fix it please select:') | some )}} run: - action: add-comment@v1 args: From 14dc9bd32c03a724ab6bc5c6dda18d604acaf7a7 Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 6 Jun 2023 13:50:01 +0300 Subject: [PATCH 27/31] changes to securityManager.cm --- .cm/SecurityManager.cm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.cm/SecurityManager.cm b/.cm/SecurityManager.cm index 1d523e8046b..b3903731ee3 100644 --- a/.cm/SecurityManager.cm +++ b/.cm/SecurityManager.cm @@ -13,7 +13,8 @@ automations: Security_comment: if: - - {{ (jit.metrics.HIGH > 0) and not (pr.conversations | filter(attr='commenter', term='gitstream-cm') | filter (attr='content', term='This PR failed due to High severity vulnerability finding, if you don't fix it please select:') | some )}} + - {{ jit.metrics.HIGH > 0 }} + - {{ pr.conversations | filter(attr='commenter', term='gitstream-cm') | filter (attr='content', term='This PR failed due to High severity vulnerability finding, if you don't fix it please select:') | nope }} run: - action: add-comment@v1 args: From 95169dc0eefe3eaaf08cfc3ab248ec4bcf92135d Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Sun, 21 May 2023 16:39:32 +0300 Subject: [PATCH 28/31] vulnerabilities --- data/static/users.yml | 2 ++ lib/insecurity.ts | 1 + package.json | 3 +++ routes/likeProductReviews.ts | 2 +- routes/updateProductReviews.ts | 13 +++++++++++++ test/smoke/Dockerfile | 1 + 6 files changed, 21 insertions(+), 1 deletion(-) 
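Review bot: The new `term='This PR failed due to High severity vulnerability finding, if you don't fix it please select:'` is a single-quoted literal that contains an apostrophe, so the string ends at `don` and `t fix it please select:'` is left dangling inside the expression; the condition cannot evaluate as written, which means the de-duplication it is meant to provide never takes effect. The same literal is carried unchanged into the `| nope` form in the next hunk (PATCH 27). Match on a prefix with no quote character, `term='This PR failed due to High severity vulnerability finding'`, or switch that argument to double quotes. Since `Security_comment` must emit exactly the text this condition later searches for, a comment next to the comment body noting that the first line is the sentinel would keep the two in step.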
diff --git a/data/static/users.yml b/data/static/users.yml index edfe29291bf..24efd550e93 100644 --- a/data/static/users.yml +++ b/data/static/users.yml @@ -147,6 +147,8 @@ email: wurstbrot username: wurstbrot password: 'EinBelegtesBrotMitSchinkenSCHINKEN!' + totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH + key: timo role: 'admin' securityQuestion: id: 1 diff --git a/lib/insecurity.ts b/lib/insecurity.ts index 87776eabf9d..585ad31ae6a 100644 --- a/lib/insecurity.ts +++ b/lib/insecurity.ts @@ -20,6 +20,7 @@ import * as utils from './utils' import * as z85 from 'z85' export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' +const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----' interface ResponseWithUser { status: string diff --git a/package.json b/package.json index e8a5b92f58c..8f6adb419e2 100644 --- a/package.json +++ b/package.json @@ -119,10 +119,12 @@ "cookie-parser": "^1.4.5", "cors": "^2.8.5", "dottie": "^2.0.2", + "download": "^8.0.0", "errorhandler": "^1.5.1", "exif": "^0.6.0", "express": "^4.17.1", "express-ipfilter": "^1.2.0", + "express-jwt": "0.1.3", "express-rate-limit": "^5.3.0", "express-robots-txt": "^0.4.1", "express-security.txt": "^2.0.0", @@ -130,6 +132,7 @@ "file-stream-rotator": "^0.5.7", "file-type": "^16.1.0", "filesniffer": "^1.0.3", + "finale-rest": "^1.1.1", "fs-extra": "^9.0.1", "fuzzball": "^1.3.0", "glob": "^7.1.6", diff --git a/routes/likeProductReviews.ts b/routes/likeProductReviews.ts index c1518601bba..f77e28d2a5e 100644 --- a/routes/likeProductReviews.ts +++ b/routes/likeProductReviews.ts 
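Review bot: `privateKey` is an RSA private key embedded as a string literal in source, directly below a `publicKey` that is read from `encryptionkeys/jwt.pub` at runtime; the hunk declares it but shows no use of it, and the asymmetry (public key from a file, private key inline) is exactly what a secret scanner will report. If this is a deliberate fixture for the project's challenges, say so where the scanner and the next maintainer will see it, e.g. `// NOTE: intentionally committed key used only by this training app; do not reuse`, otherwise load it the same way as the public key and keep the material out of the repository. The surrounding module continues outside the hunk, so whether anything reads `privateKey` cannot be confirmed from here.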
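Review bot: The three added packages (`download`, `express-jwt`, `finale-rest`) arrive with no code change in this patch that imports them, and `express-jwt` is pinned to an exact `0.1.3` while every neighbouring entry uses a caret range, so that dependency is frozen on a very early release and will never receive fixes through a normal update. If these are deliberate vulnerable-dependency fixtures for the scanners this series configures, record that in the commit message or a README note, since `package.json` has no room for a comment; otherwise drop the unused entries and give `express-jwt` a caret range on a current release like the rest of the file.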
@@ -15,7 +15,7 @@ module.exports = function productReviews () { return (req: Request, res: Response, next: NextFunction) => { const id = req.body.id const user = security.authenticatedUsers.from(req) - db.reviews.findOne({ _id: "a" }).then((review: Review) => { + db.reviews.findOne({ _id: id }).then((review: Review) => { if (!review) { res.status(404).json({ error: 'Not found' }) } else { diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts index c4e0cf06808..c6d31a3707f 100644 --- a/routes/updateProductReviews.ts +++ b/routes/updateProductReviews.ts @@ -13,6 +13,19 @@ const security = require('../lib/insecurity') // vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge module.exports = function productReviews () { return (req: Request, res: Response, next: NextFunction) => { + const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge + db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge + { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge + { $set: { message: req.body.message } }, + { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge + ).then( + (result: { modified: number, original: Array<{ author: any }> }) => { + challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line + challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line + res.json(result) + }, (err: unknown) => { + res.status(500).json(err) + }) } } // vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge diff --git a/test/smoke/Dockerfile b/test/smoke/Dockerfile index fee38ec8cca..20df9ef06eb 100644 --- a/test/smoke/Dockerfile +++ b/test/smoke/Dockerfile @@ -1,3 +1,4 @@ +FROM alpine RUN apk add curl 
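Review bot: `id` is taken straight from `req.body.id` and placed unvalidated into the `findOne` filter as `{ _id: id }`, so a non-string body value reaches the query engine as an object rather than a review id. If this is the project's deliberately vulnerable challenge code, it should carry the same `// vuln-code-snippet vuln-line …` marker that `updateProductReviews.ts` uses so the intent is greppable; otherwise reject non-string ids before querying: `if (typeof id !== 'string') { res.status(400).json({ error: 'Invalid id' }); return }`. The handler returned by `productReviews()` continues outside the hunk.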
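Review bot: The rejection branch `res.status(500).json(err)` serializes the raw `err` object to the client; unlike the `_id` and `multi: true` lines it carries no `vuln-code-snippet` marker, so it reads as an accidental leak of driver internals rather than part of the challenge. Log the error server-side and return a fixed body, `res.status(500).json({ error: 'Could not update review' })`, and if the raw response is intentional, mark the line with the same `// vuln-code-snippet vuln-line …` annotation as its neighbours. The `result.original[0] && result.original[0].author` guard inside `solveIf` is fine, but a one-line comment above the `update` call naming what `modified` and `original` hold would help readers who cannot see the db layer.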
From 327b2b83e6dfe531019765eeaf0474982c1a62c3 Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Mon, 22 May 2023 12:56:56 +0300 Subject: [PATCH 29/31] Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 408174dd00d..47df135bfa8 100644 --- a/README.md +++ b/README.md @@ -325,3 +325,14 @@ OWASP Juice Shop and any contributions are Copyright Β© by Bjoern Kimminich & th 2014-2023. ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png) +123456πŸ™ˆπŸ€« +! +comment1 +fix cm 2 +read comment +clean +aaaa +a +a +aaa +aaa From 04efc67a02d8528fb9d1735dfd284c0c567884a5 Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Tue, 6 Jun 2023 14:23:53 +0300 Subject: [PATCH 30/31] Update README.md --- README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/README.md b/README.md index 47df135bfa8..b6dd6b4beb1 100644 --- a/README.md +++ b/README.md @@ -326,13 +326,3 @@ OWASP Juice Shop and any contributions are Copyright Β© by Bjoern Kimminich & th ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png) 123456πŸ™ˆπŸ€« -! -comment1 -fix cm 2 -read comment -clean -aaaa -a -a -aaa -aaa From 169dd50c53bb95e3fb47f0321921682d1947add6 Mon Sep 17 00:00:00 2001 
From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Tue, 6 Jun 2023 14:24:45 +0300 Subject: [PATCH 31/31] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b6dd6b4beb1..c0bca98183f 100644 --- a/README.md +++ b/README.md @@ -326,3 +326,4 @@ OWASP Juice Shop and any contributions are Copyright Β© by Bjoern Kimminich & th ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png) 123456πŸ™ˆπŸ€« +Update!